Operational technology (OT) includes Supervisory Control and Data Acquisition (SCADA), Industrial Control Systems (ICS), and Distributed Control Systems (DCS). OT can be involved in critical processes and, if compromised, can have devastating consequences, including loss of life. Water treatment plants, power distribution, traffic management, and other critical infrastructure rely on well-functioning operational technology solutions.
The increase in OT devices used in these industries and others such as healthcare and life sciences makes cybersecurity more important. According to Gartner, over 80% of organizations have implemented OT technology, and 20% have detected an OT-related security attack within the last three years. According to the 2019 Ponemon Cyber Security in Operational Technology Report, 60% of respondents express concern about attacks against OT.
Operational technology security challenges
Outside of B2B and B2C software, APIs are frequently used in OT, acting as the glue for communicating specialized data descriptions such as vibration and pressure between equipment and control software. For example, in an OT scenario, a predictive maintenance application running on factory floor equipment as part of a SCADA system might open a secure HTTPS connection to a server and request motor runtime data. Using the API, the factory equipment knows exactly how to connect to the server, retrieve the list of available data resources, and read and write values for those resources. The server returns motor uptime and an indication of the next preventative maintenance schedule to the predictive maintenance application. Therefore, misuse of the APIs involved in these communications can result in data theft or disruption.
The OT security challenge doesn’t really arise with disconnected or air-gapped systems, but when everything becomes available on the public internet. The playing field for attackers becomes more interesting and sophisticated as more facilities become interdependent as part of the overall manufacturing process. Unfortunately, there is a lot of documentation, public Python libraries, and online tools that attackers can quickly become familiar with.
Not all of these systems are manufacturing focused. Power generation, utilities, transportation, and logistics companies utilize similar systems and similar methods. The basics are devices that communicate, collect data, make decisions, take action, and allow humans to make changes. Often these systems feed each other through an overall SaaS-based “director” that can tie together many such systems. Since production often requires fine-tuning, there are many different places where human-machine interface (HMI) points reside. These can be as simple as a button that adds a small amount of an ingredient, or as sophisticated as the primary director for the entire system.
Each point along the system can be attacked. Similar to attacks seen against web applications and APIs, attacks on the central point of the human interface are probably the most impactful. Looking at the web display, is that tank really still full? What if it’s a necessary ingredient in the production process and something breaks when that ingredient is gone? An entire batch can fail in QA. Communication signals of this kind can be interrupted, altered or even manipulated if not properly protected.
Apply the OWASP API Security Top 10 to your operational technology
When looking to improve operational technology and other types of controlled environments involved in SCADA systems, more and more communications run over standard TCP/IP: no longer proprietary protocols, but standard HTTP API channels. The combination of rapid development and the adoption of older technologies that were not designed with security in mind can lead to serious problems in this kind of environment. Many of these systems weren’t built all at once and often incorporate older technology. As we’ve seen in previous SCADA research, credential reuse happens all the time in factories, and many of these systems have a root or administrator weakness: the password is the same for all systems installed by the same company.
The CQ Prime Threat Research Team recently reported on the API Security Unholy Trinity, in which attackers used multiple OWASP API Security Top 10 exploits to achieve their malicious end goal. The same threats apply in the OT world.
- Improper Authentication (OWASP API 2): This flaw allows unauthorized access, for example through credential stuffing. When applied to OT, authentication is critical, and credentials should not be shared.
- Excessive data exposure (OWASP API 3): APIs that return data that should never be transferred leak it to anyone who inspects a standard HTTP response. The OT world may have assumed that communications would never be exposed, so masking and encryption weren’t considered.
- Finally, we’re seeing that many of the API endpoints in use are not well known to the organizations that run them, a condition known as Poor Asset Management (OWASP API 9). Third-party APIs and SCADA or DCS APIs that are exposed outside of a documented process have little or no oversight.
These aren’t the only API flaws that are exploited on a regular basis, but they certainly are the worst when they co-exist. We’ve also seen abuse of API business logic outside of the OWASP categories, so it’s important to take a broader view of the threat landscape beyond just the OWASP-defined threats.
Address API security challenges for operational technology
So what can you do? The same things you do for your web application’s APIs. It’s important to understand the instrumentation and what you have. HMIs can be instrumented to review transactions, collect data, issue alerts, and act on anomalies.
If you’re interested in what the OT, SCADA, and ICS APIs are doing, instrumentation can help you see what transactions are going on, what data is in them, and what the transactions are doing, so you can check whether anything is wrong. Add data points and set thresholds that should not be exceeded to keep your environment safe.
Shadow capabilities must be revealed before they can be exploited by attackers. This includes APIs that help OT, SCADA, and ICS run smoothly. With hundreds of APIs in use in your organization, knowing what you don’t know is very important.
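As an added example (not code from the original post or from Cequence), the following Python script shows what such instrumentation looks like when it is run over the transaction log of an HMI: it flags setpoint writes that exceed a configured threshold, responses that carry fields which should never leave the controller (OWASP API 3), calls to endpoints missing from the documented inventory (OWASP API 9), and repeated authentication failures from one client (OWASP API 2). The endpoint inventory, limits, sensitive field names, and log lines are all constructed for the example.

```python
import json
from collections import Counter

# Constructed inventory of documented OT API endpoints; a real deployment
# would load this from its API catalogue.
DOCUMENTED = {("GET", "/api/v1/resources"), ("GET", "/api/v1/motor/runtime"),
              ("POST", "/api/v1/motor/setpoint"), ("POST", "/api/v1/login")}
# Constructed process limits: a setpoint write outside this band is alerted.
LIMITS = {"/api/v1/motor/setpoint": {"rpm": (0, 1800)}}
# Response fields that should never leave the controller (OWASP API 3).
SENSITIVE = {"password", "admin_token", "firmware_key"}
FAILED_LOGIN_THRESHOLD = 3  # repeated 401s from one client (OWASP API 2)

def parse(line):
    """Split 'METHOD PATH STATUS CLIENT BODY' into a dict; BODY is JSON."""
    method, path, status, client, body = line.split(" ", 4)
    return {"method": method, "path": path, "status": int(status),
            "client": client, "body": json.loads(body)}

def analyse(log_text):
    """Return (category, detail) alerts for every suspicious transaction."""
    alerts, failures = [], Counter()
    for line in filter(None, log_text.splitlines()):
        t = parse(line)
        if (t["method"], t["path"]) not in DOCUMENTED:
            alerts.append(("API9 undocumented endpoint", t["path"]))
        for field, (lo, hi) in LIMITS.get(t["path"], {}).items():
            value = t["body"].get(field) if t["method"] == "POST" else None
            if value is not None and not lo <= value <= hi:
                alerts.append(("threshold exceeded", f"{field}={value}"))
        leaked = SENSITIVE & set(t["body"]) if t["status"] == 200 else set()
        for field in sorted(leaked):
            alerts.append(("API3 excessive data exposure", field))
        if t["status"] == 401:
            failures[t["client"]] += 1
            if failures[t["client"]] == FAILED_LOGIN_THRESHOLD:
                alerts.append(("API2 repeated auth failures", t["client"]))
    return alerts

# Constructed sample transactions as the HMI instrumentation would record them.
SAMPLE_LOG = """\
GET /api/v1/resources 200 10.1.5.20 {"resources":["motor/runtime","motor/setpoint"]}
POST /api/v1/motor/setpoint 200 10.1.5.20 {"rpm":2400}
GET /api/v1/motor/runtime 200 10.1.5.20 {"uptime_h":1310,"admin_token":"t0k3n"}
GET /api/v1/debug/config 200 10.1.5.99 {"vendor":"example"}
POST /api/v1/login 401 10.1.5.99 {}
POST /api/v1/login 401 10.1.5.99 {}
POST /api/v1/login 401 10.1.5.99 {}
"""
```

Running `analyse(SAMPLE_LOG)` yields one alert per category for the sample above; in practice the inventory and limits would come from the asset register and the process engineers rather than from constants in the script.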
We can help. You can use API Spyder to find the APIs in your OT, SCADA, and ICS environments.
The post API Security in Operational Technology (OT) appeared first on Cequence Security.
*** This is Cequence Security’s Security Bloggers Network syndicated blog written by Jason Kent. Read the original post: https://www.cequence.ai/blog/api-security/api-security-in-your-operational-technology-ot/